doc.: ieee 802.11-04/0476r3 submission may 2004 jesse walker and emily qi, intel corporationslide 1...
TRANSCRIPT
![Page 1: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/1.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 1
doc.: IEEE 802.11-04/0476r3
Submission
Pre-Keying
Jesse Walker and Emily Qi
Intel Corporation
![Page 2: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/2.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 2
doc.: IEEE 802.11-04/0476r3
Submission
Agenda• Problem Statement
• Design Goals
• Pre-Keying
• Usage
• Open Issues
• Q&A
• Straw Poll
![Page 3: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/3.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 3
doc.: IEEE 802.11-04/0476r3
Submission
Problem Statement• 802.11r seeks to optimize STA transition time from
one AP to another– VoIP requires << 50 msec 802.11 transition times,
including 802.11 security setup– The VoIP market perceives 802.11i as too expensive
• 802.11k measurement frames can be useful before association– But 802.11k messages used in this way require protection
prior to STA transitioning from one AP to another– 802.11i keys not available until after association
• Protection for Reassociation frames is desirable, too
![Page 4: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/4.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 4
doc.: IEEE 802.11-04/0476r3
Submission
Design Goals• Make 802.11i keys available before association
– “Make-before-break” architecture
• Reuse 802.11i framework to make keys available– Do not redesign 802.11i infrastructure
– Minimize amount of new invention
• Address the stated concerns of the TGi minority who voted against doc 03/008 and its offspring
• Give an example make-before-break solution so TGr can understand its implications
![Page 5: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/5.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 5
doc.: IEEE 802.11-04/0476r3
Submission
Pre-keying Overview• Reuse the 802.11i Pre-authentication mechanism for keying
– 802.11i 4-Way Handshake messages are encoded in 802.1X frames– Use pre-authentication mechanisms forward 802.1X frames between a STA
and a new AP via an AP already associated with the STA• Introduce two new 802.11i messages:
– Pre-Keying Request, sent from STA to targeted AP to request pre-keying• Identifies STA MAC Address, PMKID of PMK to use
– Pre-Keying Reject, send from targeted AP to STA if request cannot be honored
– AP may respond to Pre-Keying Request by initiating a 4-Way Handshake over the pre-authentication channel
• Introduce PTK caching– 4-Way Handshake via the Pre-authentication channel populates the PTKSA
cache– Inactive PTKSAs are (perhaps agressively) timed out
• Move security policy agreement from Association to 4-Way Handshake– Add PTKSA cache timeout value to RSN IE sent AP STA
![Page 6: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/6.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 6
doc.: IEEE 802.11-04/0476r3
Submission
Ingredients: Pre-Authentication Channel
STA AP 1
AP 2
802.lX over 802.11
802.lX over DS
•All frames use 802.11 Pre-authentication Ethertype (0F-AC) instead of 802.1X Ethertype (88-8E)
•All frames are 802.1X frames
•STA AP 2 Frames have Src Addr = STA’s MAC address, Dest Addr = AP 2’s BSSID
•AP 2 STA have Src Addr = AP 2’s BSSID, Dest Addr = STA’s MAC address
![Page 7: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/7.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 7
doc.: IEEE 802.11-04/0476r3
Submission
Ingredients: PMK Caching
STA AP
STA PMK Cache
AP’s BSSID, PMKID, PMK
AP2’s BSSID, PMKID, PMK
STA’s MAC Addr, PMKID, PMK
AP PMK Cache
STA2’s MAC Addr, PMKID, PMK
If a STA and AP share a cached PMK, they needn’t reauthenticate
![Page 8: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/8.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 8
doc.: IEEE 802.11-04/0476r3
Submission
Ingredients: 4-Way Handshake
EAPOL-Key(ANonce)
Pick Random ANonce
EAPOL-Key(Unicast, SNonce, MIC, STA RSN IE)
EAPOL-Key(ANonce, MIC, AP RSN IE, GTK)
Pick Random SNonce, Derive PTK = EAPOL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr)
Derive PTK
EAPOL-Key(MIC)
Install TK, GTK Install TK, GTK
APSTA
PMKPMK
![Page 9: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/9.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 9
doc.: IEEE 802.11-04/0476r3
Submission
Some Observations• 802.11i 4-Way Handshake messages are encoded as
802.1X messages– So could be forwarded over pre-authentication channel by simply
changing the Ethertype– 802.11i does not define how to send 4-Way Handshake messages
over the Pre-authentication
• 802.11i ties policy negotiation to association– But has been reworked for association-less IBSS case
• 802.11i 4-Way Handshake is self-protecting– Security unaffected by the message path
• Largely re-aligns 802.11i with the original 802.11 architecture
![Page 10: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/10.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 10
doc.: IEEE 802.11-04/0476r3
Submission
Usage• On first contact, STA uses existing 802.11i
– Discovery Open System Authentication Association 802.1X authentication 4-Way Handshake Data exchange
• After 4-Way Handshake completes STA may use pre-keying if desired to optimize AP-to-AP transition– Discovery Pre-key Reassociate Data exchange
• If desired, STA may use pre-keyed TK to protect other management messages prior to association– 802.11k Protected Action Frames
• If keys are in place prior to AP-to-AP transition, then they can be used to protect Reassociation– Protection of Disassociation, Deauthentication becomes meaningful
![Page 11: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/11.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 11
doc.: IEEE 802.11-04/0476r3
Submission
What’s Missing from 802.11i?• Minor change to Key Management state machines required to support pre-
keying– 4-Way Handshake, Group Key Handshake messages may be encapsulated using the
Pre-authentication Ethertype– Change state machines to track whether keying messages exchanged over normal or
over pre-authentication channel• STA needs a Request message to kick-start AP
– Must identify the STA and the PMK used• STA needs feedback if AP does not have the required PMK
– This can’t be secured so is only a hint• PTK rules need slight tinkering to permit pre-keying without association
– APs should not cache PTKs forever– PTKs can’t be used across associations
• RSN IE changes– STA needs feedback Re: PTK timeout– STA and AP have to negotiate security policy in 4-Way Handshake instead of
Reassociate– Need to advertise support for pre-keying
![Page 12: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/12.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 12
doc.: IEEE 802.11-04/0476r3
Submission
Some Open Issues• PTK caching potentially a resource pig and must be controlled• Identify modifications needed to 802.1X state machines to support pre-
keying• Prevent same PTK from being used across two associations
– PTK reuse across association breaks replay protection mechanism
• What if STA transitions to the new AP before pre-keying completes?• What if STA transitions to a different AP before pre-keying completes?• How to handle GTK updates?
– The AP can send GTK updates over the pre-authentication channel if the STA is not associated
– But what to do is STA moves? Security associations are stateful
• What to with pre-key request from an “already associated” STA?• Other information that can be transferred over the pre-authentication
channel?
![Page 13: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/13.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 13
doc.: IEEE 802.11-04/0476r3
Submission
Q&A• Where do the cached PMKs come from?
– Out of Scope. These can be provisioned by, e.g., pre-authentication, some IETF/IRTF “standard” back-end protocol, e.g. proactive keying, or by a proprietary key provisioning scheme, e.g., Cisco’s
• What about subnet boundary crossing?– Out of Scope. Since it is based on the pre-authentication channel, it is a
LAN-only solution.
• Why not use some other channel?– We know of no other candidates. Please suggest one.
• Why reuse the 4-Way Handshake?– We don’t want to invent a new protocol. Getting a key establishment
scheme right is hard. And the political reality suggests we try.
![Page 14: Doc.: IEEE 802.11-04/0476r3 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Pre-Keying Jesse Walker and Emily Qi Intel Corporation](https://reader035.vdocuments.us/reader035/viewer/2022081821/56649ed05503460f94bddc10/html5/thumbnails/14.jpg)
May 2004
Jesse Walker and Emily Qi, Intel CorporationSlide 14
doc.: IEEE 802.11-04/0476r3
Submission
Feedback?